Krebs on Security

In-depth security news and investigation

Stealthy, Razor Thin ATM Insert Skimmers

An increasing number of ATM skimmers targeting banks and consumers appear to be of the razor-thin insert variety. These card-skimming devices are made to fit snugly and invisibly inside the throat of the card acceptance slot. Here’s a look at a stealthy new model of insert skimmer pulled from a cash machine in southern Europe just this past week.

The bank that shared these photos asked to remain anonymous, noting that the incident is still under investigation. But according to an executive at this financial institution, the skimmer below was discovered inside the ATM’s card slot by a bank technician after the ATM’s “fatal error” alarm was set off, warning that someone was likely tampering with the cash machine.

A side view of the stainless steel insert skimmer pulled from a European ATM.

“It was discovered in the ATM’s card slot and the fraudsters didn’t manage to withdraw it,” the bank employee said. “We didn’t capture any hidden camera [because] they probably took it. There were definitely no PIN pad [overlays]. In all skimming cases lately we see through the videos that fraudsters capture the PIN through [hidden] cameras.”

Here’s a closer look at the electronics inside this badboy, which appears to be powered by a simple $3 Energizer Lithium Coin battery (CR2012):

The backside of the insert skimmer reveals a small battery (top) and a tiny data storage device (far left).

Flip the device around and we get another look at the battery and the data storage component. The small area circled in red on the left in the image below appears to be the component that’s made to read the data from the magnetic stripe of cards inserted into the compromised ATM.

Virtually all European banks issue chip-and-PIN cards (also called Europay, Mastercard and Visa or EMV), which make it far more expensive for thieves to duplicate and profit from counterfeit cards. Even still, ATM skimming remains a problem for European banks mainly because several parts of the world — most notably the United States and countries in Asia and South America — have not yet adopted this standard.

For reasons of backward compatibility with ATMs that aren’t yet in line with EMV, many EMV-compliant cards issued by European banks also include a plain old magnetic stripe. The weakness here, of course, is that thieves can still steal card data from Europeans using skimmers on European ATMs, but they need not fabricate chip-and-PIN cards to withdrawal cash from the stolen accounts: They simply send the card data to co-conspirators in the United States who use it to fabricate new cards and to pull cash out of ATMs here, where the EMV standard is not yet in force.

This angle shows the thinness of this insert skimmer a bit better.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries with a total deployment of more than 640,000 cash machines, European financial institutions are increasingly moving to “geo-blocking” on their issued cards. In essence, more European banks are beginning to block the usage of cards outside of designated EMV chip liability shift areas.

“Fraud counter-measures such as Geo-blocking and fraud detection continue to improve,” EAST observed in a report produced earlier this year. “In twelve of the reporting countries (two of them major ATM deployers) one or more card issuers have now introduced some form of Geo-blocking.”

Source: European ATM Security Team (EAST).

As this and other insert skimmerattacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.

Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.

This entry was posted on Thursday, August 21st, 2014 at 3:59 pm and is filed under All About Skimmers.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

88 comments

I am wondering why so many users have such a great concern and actually use ATM’s so frequently. I carry two credit cards when traveling any great distance from my residence, I notify my credit card companies that I will be traveling to XXX for a specific period and that any unusually large purchases or out of character purchases be flagged for verification. When near home or at home I use bank drafts/checks/cheques for the majority of my purchases. I also use a debt card or credit card at some limited point of sale purchases and on purchases done via the INTERNET. On Point of Sale purchases I always use a form of payment that requires my signature. I have not had any need to use any ATM in over 10 years. My bank has informed me that a reversal can be done for any questioned check/debit/EFT, or Credit purchase as long as I conform to timely notice for each specific type of demand against my account. What and why is there a big demand for ATM usage?

Yes, I do use cash, but only for small impulse purchases. For cash I negotiate a check at my local bank (which is 7 miles from my residence) when my wallet seems a tad too thin, though I have found that for the past 10 years I seem to be able to use less than $100/ month. Most stores I frequent actually appreciate that for purchases I use a check.

Again, I fail to see the addiction to ATM’s when there are safer alternatives.

In the UK at least nowhere’s accepted cheques for about 5 years now, since the introduction of chip-and-pin. That doesn’t answer your question directly but just thought I’d highlight the fact that in western Europe at least cheques are pretty much obsolete, used only for sending money as a gift in a birthday card.

You have to applaud the technical ability of the criminal, these are impressive devices to design and install. Luckily, if the bank has an effective anti-skimming device installed, this will detect the threat and immediately take the ATM out of service.

Our company develop and install our own anti-skimming device, the ASD-8, this device will detect these thinner skimmers due to the multiple sensors and equipment we install. Our device not only takes the ATM out of service, but reports the threat immediately – so panic not, if the bank is protecting their ATM, we’ve got it covered.

There is a news story about these razor thin skimmers on our website cennox.com